Token revocation policy

Overview


When an access token (or refresh token) is invalidated through Authlete's /auth/revocation API, the corresponding refresh token (or access token) is invalidated at the same time. The two tokens are treated as one pair: revoking either half revokes both.

How Authlete handles token revocation requests


On receiving a revocation request from a client, the authorization server calls Authlete's /auth/revocation API, passing the content of the revocation request (the entity body the client sent to the revocation endpoint) in the parameters request parameter.

The revocation request from the client contains the following parameters, as defined in RFC 7009.

token (required)
    The token that the client wants to have revoked.

token_type_hint (optional)
    A hint about the type of the token submitted for revocation. The values defined by RFC 7009 are access_token and refresh_token.
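The call described above, as an added example that is not Authlete's own code or SDK: the authorization server's revocation endpoint wraps the raw RFC 7009 entity body in the parameters field, passes the client's HTTP Basic credentials alongside it, and turns Authlete's action value into the HTTP response for the client. The base URL, the service API credentials and the Basic authentication to the Authlete API are placeholders, and the request and response field names (parameters, clientId, clientSecret, action, responseContent) are taken from the Authlete API reference as the author of this example understands it; check them against the API version you use.

```python
"""Authorization-server side of token revocation with Authlete.

Added example, not Authlete's code. Assumptions (labelled below): the Authlete
base URL, the service API credentials and the Basic authentication scheme to
the Authlete API are placeholders; the field names parameters / clientId /
clientSecret (request) and action / responseContent (response) follow the
Authlete API reference and should be checked against the API version in use.
"""
import base64
import json
import urllib.request

AUTHLETE_BASE = "https://api.authlete.com/api"   # assumption: adjust to your cluster
SERVICE_API_KEY = "SERVICE_API_KEY"              # assumption: placeholder
SERVICE_API_SECRET = "SERVICE_API_SECRET"        # assumption: placeholder


def parse_client_basic_auth(header):
    """Return (client_id, client_secret) from an HTTP Basic header, else (None, None)."""
    if not header or not header.lower().startswith("basic "):
        return None, None
    parts = header.split(None, 1)
    if len(parts) != 2:
        return None, None
    try:
        decoded = base64.b64decode(parts[1]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None, None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None, None
    return client_id, client_secret


def build_authlete_request(form_body, authorization_header=None):
    """Wrap an RFC 7009 revocation request into an Authlete /auth/revocation request.

    form_body is the raw application/x-www-form-urlencoded entity body received
    from the client; it is forwarded verbatim in `parameters`. Credentials from
    the client's HTTP Basic header go in clientId / clientSecret so that Authlete
    can authenticate the client (RFC 7009 section 2.1). A public client that sends
    client_id in the body needs no Authorization header and the fields are omitted.
    """
    req = {"parameters": form_body}
    client_id, client_secret = parse_client_basic_auth(authorization_header)
    if client_id is not None:
        req["clientId"] = client_id
        req["clientSecret"] = client_secret
    return req


def to_http_response(authlete_response):
    """Map Authlete's `action` to (status, headers, body) for the client.

    Action set and mapping as understood from the Authlete API reference
    (assumption). RFC 7009 section 2.2: a successful revocation, including one
    for a token the server does not recognise, is 200 with no error body.
    """
    action = authlete_response.get("action")
    content = authlete_response.get("responseContent") or ""
    if action == "OK":
        return 200, {}, content
    if action == "BAD_REQUEST":
        return 400, {"Content-Type": "application/json"}, content
    if action == "INVALID_CLIENT":
        return 401, {"WWW-Authenticate": 'Basic realm="token revocation"',
                     "Content-Type": "application/json"}, content
    return 500, {"Content-Type": "application/json"}, content   # INTERNAL_SERVER_ERROR or unknown


def call_authlete_revocation(request_body):
    """POST to Authlete's /auth/revocation API (network call; not exercised offline)."""
    creds = base64.b64encode(f"{SERVICE_API_KEY}:{SERVICE_API_SECRET}".encode()).decode()
    http_req = urllib.request.Request(
        f"{AUTHLETE_BASE}/auth/revocation",
        data=json.dumps(request_body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},   # assumption: Basic with service key/secret
        method="POST",
    )
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a confidential client revoking one of its refresh tokens.
    body = "token=constructed-refresh-token-1&token_type_hint=refresh_token"
    auth = "Basic " + base64.b64encode(b"client-a:client-a-secret").decode()
    print(json.dumps(build_authlete_request(body, auth), indent=2))
    print(to_http_response({"action": "OK", "responseContent": None}))
```

The endpoint never interprets token or token_type_hint itself; it forwards the body untouched so that the lookup rules described in the rest of this article are applied by Authlete, and it only translates the returned action into an HTTP status.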


Authlete uses token_type_hint to guess the type of the token and first looks up a token of that type in its token database. If no token of that type is found, Authlete then looks up a token of the other type. If Authlete finds the token as either type, it removes that token together with its counterpart, i.e. the whole access token / refresh token pair.

In other words, token_type_hint does not select which type of token is removed. It only helps Authlete locate the token in its records; Authlete always removes both the access token and the refresh token.

Details are as listed below.

token_type_hint   how to locate the token record                            invalidation
(none)            access token records first, then refresh token records    both the access token and the refresh token
access_token      same as above                                             same as above
refresh_token     refresh token records first, then access token records    same as above
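The lookup order and pair revocation described in this section, modelled as an added example that is not Authlete's code: an in-memory stand-in for the token database in which the hint only orders the lookup and both halves of the access/refresh pair are removed whichever one is found. The client-ownership check is the one RFC 7009 section 2.1 requires of every revocation endpoint; this article does not say how Authlete reports that case, so the "not_owned" outcome label is the example's own. All token values are constructed.

```python
"""Model of the token_type_hint lookup order and pair revocation described above.

Added example, not Authlete's code: an in-memory stand-in for the token
database implementing the behaviour in the table (the hint only orders the
lookup; both halves of the access/refresh pair are removed). The ownership
check follows RFC 7009 section 2.1; the "not_owned" label is this example's
own, since the article does not describe how Authlete reports that case.
Token values are constructed.
"""


class TokenStore:
    """Two indexes over the same token records, one per token type."""

    def __init__(self):
        self._by_access = {}
        self._by_refresh = {}

    def issue(self, access_token, refresh_token, client_id):
        record = {"access_token": access_token, "refresh_token": refresh_token,
                  "client_id": client_id}
        self._by_access[access_token] = record
        self._by_refresh[refresh_token] = record
        return record

    @staticmethod
    def lookup_order(token_type_hint):
        """Index to search first, then the other. An absent or unrecognised hint
        starts with access tokens, matching the first row of the table."""
        if token_type_hint == "refresh_token":
            return ("refresh_token", "access_token")
        return ("access_token", "refresh_token")

    def revoke(self, token, client_id, token_type_hint=None):
        """Locate `token` in hint order and remove the whole access/refresh pair.

        Returns ("revoked", record), ("not_owned", None) when the token was
        issued to another client, or ("not_found", None). RFC 7009 section 2.2:
        the endpoint still answers 200 for an unknown token, so it cannot be
        used to probe whether a token exists.
        """
        for token_type in self.lookup_order(token_type_hint):
            index = self._by_access if token_type == "access_token" else self._by_refresh
            record = index.get(token)
            if record is None:
                continue
            if record["client_id"] != client_id:
                return ("not_owned", None)
            # Found as either type: drop both the access token and its refresh token.
            self._by_access.pop(record["access_token"], None)
            self._by_refresh.pop(record["refresh_token"], None)
            return ("revoked", record)
        return ("not_found", None)

    def is_valid_access_token(self, token):
        return token in self._by_access

    def is_valid_refresh_token(self, token):
        return token in self._by_refresh


def demo():
    """Exercise the rows of the table plus the wrong-hint and wrong-client cases."""
    store = TokenStore()
    store.issue("at-1", "rt-1", "client-a")
    store.issue("at-2", "rt-2", "client-a")
    store.issue("at-3", "rt-3", "client-b")
    store.issue("at-4", "rt-4", "client-b")

    results = {
        # no hint: access token records are searched first and hit immediately
        "no_hint": store.revoke("at-1", "client-a"),
        # refresh_token hint with a refresh token: found in the first index tried
        "rt_hint": store.revoke("rt-2", "client-a", "refresh_token"),
        # wrong hint: says refresh_token but an access token is supplied; the
        # second lookup finds it and the pair (at-3, rt-3) is still removed
        "wrong_hint": store.revoke("at-3", "client-b", "refresh_token"),
        # client-a tries to revoke client-b's token: refused, nothing removed
        "not_owned": store.revoke("rt-4", "client-a", "refresh_token"),
        # unknown token: nothing to remove (the HTTP answer would still be 200)
        "unknown": store.revoke("at-nope", "client-a", "access_token"),
    }
    results["store"] = store
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        if name != "store":
            print(f"{name}: {outcome[0]}")
```

The wrong_hint case is the one worth remembering: a client that sends an access token with token_type_hint=refresh_token does not get a narrower revocation or an error, it gets the same result as with the right hint, because the hint changes only the order in which the two record sets are searched.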